General considerations

A considerable experience base of I&C projects has been collected over many years. This experience base shows the need for a systematic approach of dividing the project into well-defined phases and planning these phases carefully. This section discusses the general considerations for implementing I&C projects.

Implementing an I&C project is an engineering process which involves three distinct parties: the utility, the vendors and the regulator. It is therefore recommended that all parties establish a common understanding of the I&C project, and their roles clearly defined, at an early stage in the project. This will allow the process to take into consideration the needs of all parties, and increase the chance that the expectations of all parties are met.

During its life cycle, the I&C system must be adequately maintained by performing periodic inspections and testing of the platform and the applications.

4.1.1. Interfacing plant and I&C design

Plant design and I&C design are closely interrelated. Therefore, it should be ensured that the I&C design is consistent with the plant design. One example is the design of start up and shut down sequences. In order to create a common understanding of sequences, triggering events and plant conditions, which the I&C design must comply with, a close interaction between process and I&C engineers is necessary. This will set the requirements for I&C systems in terms of signals, triggering levels and control requirements.

The I&C design should also interface with building, cabling, control rooms and component layouts.

Therefore, it is important to understand where certain physical systems and equipment are placed to design cable routes and penetrations through pressure boundaries.

4.1.2. Requirement specification

Developing the requirement specification has proven to be the most important phase in all I&C projects. It is necessary to carefully document, with as much detail as possible, the functions of the I&C system and the requirements of those functions. In developing the requirements, care should be taken to ensure that they are as complete as possible, cover all plant states and assumed abnormal conditions, and that they specify the performance required. It is often beneficial to use some kind of computerized specification tool by which the requirements can be managed and analyzed. The requirement specification should go through a detailed and accepted V&V process before being released for use.

4.1.3. Stages of design

The main principle in the design of I&C systems is to apply a top down approach with continuous refine-ments. Another good design principle is to proceed as long as possible with a system independent functional design, where the HW platform and SW are selected after the design has stabilized. Typical platforms offer considerable flexibility but still have their own unique functionality, which may require additional considerations in the functional design.

Most I&C design projects go through several iterations, where candidate designs are created and analyzed with respect to the requirements. With each iteration, the design incorporates a larger degree of detail. Because later stages of design are built on earlier stages, it is a common practice to freeze the design at suitable points when the design is considered mature enough. Sometimes it may also be necessary to back off from solutions that have been selected in an earlier stage of the design. If there is a need for a change later in the design process after it has been frozen, it is important that all influences of the change are properly accounted for. This implies that design freedom will decrease as the project progresses and the costs of changes increase.

In practice, the design process is separated into different stages: conceptual, system, and detailed design, where each stage of the design is carried to a point in which no large changes are expected and the design conse-quently can be frozen. Before moving from an earlier phase of design to the next, it is important that the design and the documentation are reviewed thoroughly. An illustration of these relationships in a design project is given in Fig. 2, where the conceptual design defines the design frame for the systems design, which in turn does the same for the detailed design.

4.1.4. I&C implementation using a qualified platform

There are benefits in using pre-qualified platforms for I&C systems which are important to safety (category A and B). For operational I&C functions the use of a Commercial Off The Shelf (COTS) platform with wide market penetration is recommended for lower cost as well as for support and life cycle reasons (for other categorization schemes, see Table 2). The use of I&C systems based on platforms that have a large installation base is generally preferred due to the greater likelihood of platform stability and future support options.

It is recommended that the utility ask the invited suppliers for specific statements regarding the possibility to qualify the proposed platform. This may require scrutiny of HW and SW architectures, design and development processes, and testing data. This information should be presented with well-structured require-ments together with evidence that the platform fulfills these requirerequire-ments. If a qualified platform is used, the assumption is that all application SW can be written and configured without changing the system SW. In addition, the application SW can be written with a previously qualified tool.

For a qualified platform, it can usually be expected that many different tools can be used to support the requirement specification, the application programming, V&V, documentation and version management. It is important that the utility has a good understanding of these tools and is prepared to use them during the modernization project.

The vendor approach to V&V and testing is of great interest. The information should be detailed enough to enable the utility to estimate realistically the structure, scope and timing of needed audits of the discussed processes, professional skills required from auditors etc. In addition, an “acceptance in principle” of the proposed processes by the regulatory body may be needed.

4.1.5. Contractual arrangements

I&C projects are typically agreed upon with a contract between the utility and one or several vendors. The main responsibility for I&C functions to be modernized is typically given to the vendor, but sometimes the utility may also engage themselves in creating the applications design.

A further complexity in contractual arrangements may be created through the use of several levels of subcontractors by the utility and the vendor. Multiple levels of subcontractors should be avoided whenever possible and the utility should assure its right to accept or decline subcontractors. The qualification of the subcontractors should meet the requirements of the project for the specific work package or delivery assigned to them.

Special attention should also be paid in the contract to describe the responsibilities for covering any extra costs. These extra costs may be incurred for changes not anticipated, but required, by licensing or safety authorities in the course of the project. A typical arrangement is that the parties agree upon some kind of plus and minus list for the influence of price changes.

The requirements for the vendor to be able to deliver technical support and spares after the delivery of the project should be defined in the contract. The requirement that the user should be informed about changes in the platforms should also be included in the contract.

4.1.6. Documentation

At the very beginning of the project, both basic and detailed requirements on the documentation have to be specified and agreed on. This implies, for example, for agreements on what should be delivered on paper, what should be delivered electronically, and the required format for each. This does not only address what kind of documentation that should be created or delivered, but also addresses formal aspects like numbering, titles etc., as well as respective requirements originating from plant standards or the document management system (DMS). The DMS should be used to archive and manage the as-built project documentation and the product documentation.

The project documentation, especially signal flow diagrams (SFDs) and function block diagrams (FBDs), should be clear and accurate for use by the maintenance and operations personnel as well as other project participants. The parties should also agree upon the procedures for reviewing the documentation.

The project documentation is a result of the different design, engineering, quality assurance (QA), V&V and test activities; its main components are:

— Design documentation;

— V&V documentation;

— Test documentation (factory test, commissioning, etc.);

— Installation documentation;

— Licensing documentation;

— Spare parts list.

The as-built documentation must be compatible with the DMS of the utility, which could be a stand-alone system or part of an integrated plant management (information) system. It is also important to have all relevant product documentation for procurement of spare parts and service reasons.

4.1.7. Training

Training must be carefully planned and adapted for the different users in the utility, primarily the operational and maintenance staff. Training should start before implementation of the new system and functions in the plant.

Maintenance and plant engineering personnel should be involved in the system design as early as possible and should participate in the engineering activities and factory test activities to acquire appropriate knowledge.

The training of the operating personnel should be in phases starting with basic training for handling the HSI leading up to comprehensive training of the new HSI and functions in the plant simulator. This training should, if feasible, be performed before the factory acceptance test (FAT) and be used as an additional V&V activity to validate the new system. All negative findings should be carefully analyzed and the necessary error corrections and improvements should be implemented in the system.

After any final rework, the FAT should be performed and a second round of training should be executed with the reworked function before the upcoming outage in which the implementation is scheduled to occur.

4.1.8. Planning

Any I&C project should be placed within the general framework of plant life management. This means that necessary relationships with other potential or planned modifications should be considered in the planning of the I&C project. The need for future modifications may emerge from many diverse considerations such as adaptations to new regulatory requirements, utilization of opportunities for power upgrades, and replacing obsolete plant equipment. Planning for future modifications is especially important for digital technology because the lifetime of digital systems is typically much shorter than that of the plant. This may initiate the need for more than one upgrade of the same system during the plant lifetime. Designing highly reusable requirement specifications and functional designs can at least partly address this need. No general guidelines can be given for the type, scope and sequence of an I&C modernization project. Each one depends on a vast amount of project constraints and factors, which differ from plant to plant because of their age, installed base, implemented concepts, etc. [7]. In the planning of I&C projects, it is also wise to investigate the possibility of increasing plant safety and plant capabilities by introducing new functions in the I&C [8, 9].

It is often a good idea to involve two or more vendors during the generation of a pre-project conceptual study to establish basic design philosophies. This arrangement also provides an opportunity for the utility to learn about the available technologies as well as opportunities for the potential vendors to acquire an under-standing of the plant design and the intent of the modernization.

A project leader should be appointed early in the project. The project leader should have a very broad and deep understanding of the operation of the NPP and its I&C systems. This person will have to mediate between the involved parties and ensure that the project is successfully completed. There are many potential sources of resistance against a modernization project from many areas within the plant organization, even if the need is recognized and accepted; thus, it is essential that the project leader is directly supported by management personnel at the appropriate level.

4.1.9. Basic planning for the I&C modernization

Regardless of the reason for the I&C modernization and the intended strategy, some very basic investiga-tions and considerainvestiga-tions have to be performed. It is very valuable to start with a pre-project plan that considers

most important project constraints is the intended remaining operational lifetime of the plant. Large moderni-zation projects may not be economically justifiable when the remaining operation life of the plant is short.

As the remaining lifetime increases, choosing the start time and establishing a schedule for the I&C modernization becomes more important. A common goal is to avoid the necessity to repeat an overall modernization during the remainder of the plant’s operational lifetime by ensuring that a smooth migration/

upgrade path for the system is possible and can be conducted in manageable steps. In such a way, the shorter life cycles of digital I&C can be addressed while the possibility to further implement advanced techniques or appli-cations in the system remains feasible. Here the project manager and/or the decision makers can end up in a conflict that originates from the requirements of many authorities to keep the plant I&C equipment at the state of the art, while maximizing the benefit of proven operational experience and technology maturity.

Given a long remaining lifetime for operational I&C (systems not important to safety and not requiring licensing approvals), there is a tendency towards the use of new products with an associated lack of available operational experience and increased risk of being subject to immaturity problems. At a minimum, the core of the system infrastructure must be long-lived (e.g. networks). Given a rather short remaining lifetime, an older platform may be used if the supply of spare parts and support can be assured for the remaining operational life of the plant.

For modernization projects, another important decision in the basic planning is to select and define the scope of the project. Perhaps the easiest solution is to plan for equivalent functionality, but it is often advisable to also consider the introduction of new or improved functionality. The final decision depends on several contributing factors such as the original design of the plant, its remaining lifetime, operational experience and regulatory requirements. The potential for plant life extension should also be considered when classifying the remaining plant lifetime.

Regardless of the type of modernization, there are always certain basic considerations to be made before the start of the project. Typical considerations are:

— Licensing;

— Interfaces between the existing and the new I&C;

— HSI/human factors engineering (HFE) aspects.

HSI aspects should be considered early in the project as it is the interface between the existing and new parts of a control room or control location. This may have an influence on the boundaries of the modernization steps due to requirements originating from operator's tasks. If not properly accounted for at the beginning, it may be difficult, costly, or impossible to comply with these requirements later in the project.

4.1.10. Design base

As soon as the intended scope of the modernization is defined, it is necessary to assess if the existing design base documentation fulfills the necessary requirements that the I&C modernization demands. Sometimes it may be necessary to regenerate the design base. This applies not only to the design base of the I&C systems or equipment, but also to the process systems to be controlled and monitored. The assessment of the design base and its potential reconstitution may require considerable resources with adequate tacit knowledge. In addition, it is necessary to comply with the requirements and boundaries of the Safety Analysis Report (SAR) and the plant’s technical specification. This is the underlying limiting condition for the requirement specification.

4.1.11. Timing of I&C modernization

In general, it may be assumed as a normal case that I&C modernization alone will not present an acceptable business justification for a prolonged outage due to the high cost of production losses. Thus, most

I&C modernizations will be done during normal outages, which becomes more and more challenging since all plants target shorter outage times to increase the economy of the plant. Due to this trend towards shorter outages, installation and commissioning becomes even more challenging and raises questions about the number of modernization steps with additional costs (e.g. for temporary interfaces) versus the cost for a prolonged outage.

Extended outages are mostly in conjunction with refurbishment or replacement of large plant components (e.g. steam generators). During these extended outages, large I&C system replacements can occur with no impact on the outage schedule. Therefore, a plant should have and maintain a long-term maintenance and modernization plan and the responsible I&C manager has to take this into consideration when planning an I&C modernization.

4.1.12. Master project plan

The master project plan defines the boundaries of the overall project and forms the basis for the subsequent detailed plans. The master project plan is the top document controlling the overall project. The plan contains the tasks and goals for the project, including time and budget limits, project organization, and QA.

Without limitations the project may expand, and will therefore have problems staying on schedule and within the budget. The master project plan is at the highest hierarchical level and can point to other separate more detailed plans for different tasks.

One should emphasize the importance of a coherent and consistent set of project plans even if, and especially if, there are several suppliers or a supplier consortium with several companies involved. Multiple plans or conflicting plans from different companies must be avoided. As part of the project plans, procedures including checklists for periodic tests of the I&C system should be developed and the required frequency for these tests defined. In addition, procedures with checklists for the complete or partial restart of the I&C systems after a complete or partial power supply failure should be prepared. If possible these procedures should be tested during the factory tests of the platform (see Section Testing and validation phase).

There should always be provisions for making modifications to the plans when such needs are identified and justified. However, it is very important that such modifications are carried out with the same scrutiny as the original plans.

4.1.13. Implementation

A move from preliminary planning to implementation is typically taken when the preliminary plans have been accepted and a firm allocation of resources is in place. This usually implies a finalization of the preliminary plans and a preparation of various documents that will be used in the tendering phase. This section describes the interactions between the utility and the vendor after the decision to proceed has been made by the utility.

A modernization project may consist of one or more steps depending on the scope of the project and outage schedule (see Fig.3). Each step should include considerations for any necessary modifications of the control room and training simulator. If a project consists of more than two or three steps, and if it is intended to

A modernization project may consist of one or more steps depending on the scope of the project and outage schedule (see Fig.3). Each step should include considerations for any necessary modifications of the control room and training simulator. If a project consists of more than two or three steps, and if it is intended to